]> Pileus Git - ~andy/linux/commitdiff
projects / ~andy / linux / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 50804fe)
vfs: Allow chroot if you have CAP_SYS_CHROOT in your user namespace
authorEric W. Biederman <ebiederm@xmission.com>
Tue, 31 Jul 2012 08:14:12 +0000 (01:14 -0700)
committerEric W. Biederman <ebiederm@xmission.com>
Mon, 19 Nov 2012 13:59:17 +0000 (05:59 -0800)
Once you are confined to a user namespace applications can not gain
privilege and escape the user namespace so there is no longer a reason
to restrict chroot.

Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
fs/open.c patch | blob | history

diff --git a/fs/open.c b/fs/open.c
index 59071f55bf7fe97545cc691e5dc845a05cbe8f64..182d8667b7bd57f5c3c6f738dcdeed0b18c0cbe6 100644 (file)
--- a/fs/open.c
+++ b/fs/open.c
@@ -435,7 +435,7 @@ SYSCALL_DEFINE1(chroot, const char __user *, filename)
                goto dput_and_out;
 
        error = -EPERM;
-       if (!capable(CAP_SYS_CHROOT))
+       if (!nsown_capable(CAP_SYS_CHROOT))
                goto dput_and_out;
        error = security_path_chroot(&path);
        if (error)
Andy's Linux Kernel repo